[wassupsergio]

yes I did.

[Advertisements]

Logfile of HijackThis v1.99.1
Scan saved at 8:40:04 PM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkdc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\LiveChatNow! Enterprise Edition\LiveChatNow.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

this is a new one I just got today.

[wassupsergio]

Logfile of HijackThis v1.99.1
Scan saved at 8:40:04 PM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkdc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\LiveChatNow! Enterprise Edition\LiveChatNow.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcfcorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcfcorp.com/
O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) - http://pcf-op-file-0...der/MSSR210.OCX
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

this is a new one I just got today.

[don77]

Sorry I overlooked your post,
Please post a fresh FindQoologic log please

[wassupsergio]

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\AOAVK.DLL
* qoologic C:\WINNT\UNADBEH.EXE

* ad-beh C:\WINNT\System32\NKNQA.DLL
* ad-beh C:\WINNT\System32\PIPBGES.DLL
* ad-beh C:\WINNT\System32\CNCQOXD.EXE
* ad-beh C:\WINNT\System32\RPRLNA.EXE
* ad-beh C:\WINNT\System32\RPRLNA~1.EXE
* ad-beh C:\WINNT\System32\QAQYV.DAT
* ad-beh C:\WINNT\System32\WMCONFIG.CPL
* ad-beh C:\WINNT\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
dkdc.exe

User Startup:
C:\Documents and Settings\lopezs\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 22:05
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]

[don77]

We have to probably run through this a few times, A caouple of the files have been killed but we need to double check for the removal of the each time, So we will run through it again please

Ok please print out these instructions or save to notebook so you have them Available,



[*]Please download the Killbox.
[*]Unzip it to the desktop but do NOT run it yet.
[*]Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
[*]Once in Safe Mode, please run Killbox.
[*]Click "Replace on Reboot" and check the "Use Dummy" box.
[*]Paste the following into the top "Full Path of File to Delete" box.

• C:\WINDOWS\System32\ rprlna.exe

[*]Click the red-and-white "Delete File".
[*]Click "Yes" at the Replace on Reboot prompt.
[*]Click "No" at the Pending Operations prompt.
[*]Repeat steps 5-9 above for these files:

• C:\WINNT\AOAVK.DLL
• C:\WINNT\AOAVK.DLL
• C:\WINNT\UNADBEH.EXE
  
• C:\WINNT\System32\NKNQA.DLL
• C:\WINNT\System32\PIPBGES.DLL
• C:\WINNT\System32\CNCQOXD.EXE
• C:\WINNT\System32\RPRLNA.EXE
• C:\WINNT\System32\QAQYV.DAT
• C:\WINNT\System32\WMCONFIG.CPL
• C:\WINNT\UNADBEH.EXE
• C:\WINNT\system32\cncqoxd.exe

[*]Click "Replace on Reboot" and check the "Use Dummy" box.
[*]Paste the following file into the top " C:\docume~1\alluse~1\startm~1\programs\startup\DKDC.EXE " box.

• Click the red-and-white "Delete File" button.
• Click "Yes" at the Replace on Reboot prompt.
• Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
• When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

[wassupsergio]

Hi I managed to get it fixed. I get the error no more and no more pop ups rprlna.exe is still running but I dont' give it much issue as everything is running fine liek before. Thank you for your help. If you ever need webspace for your site or anything let me know I do run a company lest I could do for your help.

[don77]

If you wish, but we were getting close on it,

Your decision,

Don

[wassupsergio]

yeah it okay since it my work computer I don't care if it was my house I might thanks alot.

[don77]

OK fair enough, LOL
Get the boss to buy you a new one

[wassupsergio]

yeah easy as that well IT would fix it. or just give me another one.

[don77]

wassupsergio, well I guess good luck to you, wish we could have finished it off for you,

I will close the topic,

Good luck to you,

Thanks
Don